Scope. The Act would apply to “online platforms”—broadly defined to include public-facing websites or applications, as well as social networks, ad networks, search engines, email services, mobile operating systems, and Internet access services—that collect personal data from users. The Act defines “personal data” to include physical addresses, email addresses, telephone numbers, government identifiers, geolocation information, the content of messages, and protected health and financial information as defined in the HIPAA privacy rule and Gramm-Leach-Bliley Act respectively.

Transparency and Choice. The Act would require a covered online platform to disclose its practices regarding the collection and use of personal data, including information about who can access users’ personal data and how that data is used. In addition, an online platform must provide new users with an opportunity to opt-out from its default data collection and use practices and obtain affirmative opt-in consent from existing users before introducing new products or making material changes to that user’s existing privacy preferences. Online platforms must also ensure that users can withdraw their consent to data collection and use practices at any time. To the extent a service is inoperable without the collection or use of a user’s personal data, an online platform may deny services or access to users who do not consent to the necessary data practices.

Breach Notification. The Act would require covered online platforms to provide notice to affected users within 72 hours after becoming aware that personal data has been transmitted in a manner contrary to the privacy preferences specified by the user. This notification threshold applies whether or not the transmission of personal data creates a reasonable risk of harm to the affected user.

Additional Obligations. The Act would require covered online platforms to make a user’s personal data inaccessible within 30 days of that user closing his or her account or otherwise terminating his or her use of the service, and to furnish users with a copy of the personal data retained by the online platform, including a list of third parties to whom that personal data has been disclosed.

FTC Enforcement Authority. While the Act would not give the FTC rulemaking authority, it would treat violations of its substantive provisions as violations of “a rule defining an unfair or deceptive act or practice,” thereby providing the FTC with authority to impose civil penalties pursuant to 15 U.S.C. § 45(m).

Preemption. The Act would authorize state attorneys general to bring cases for violations of its provisions on behalf of consumers in federal court, and it would not preempt state enforcement of existing privacy and breach notification statutes. It would therefore add to the patchwork of overlapping state and federal cybersecurity and data privacy regimes without harmonizing them.

We will continue to monitor the Social Media Privacy Protection and Consumer Rights Act and other legislative proposals, and will provide updates here at the Davis Polk Cyber Blog as they progress.

Mr. Leibowitz is a partner in Davis Polk’s Washington DC and New York offices. His practice focuses on the complex antitrust aspects of mergers and acquisitions as well as government and private antitrust investigations and litigation. He also provides counsel in the developing areas of consumer protection and privacy law as well as advocacy involving Congress.

Mr. Gesser is a partner in Davis Polk’s Litigation Department. He represents clients in a wide range of cybersecurity issues, including compliance with various cybersecurity regulations, cybersecurity governance issues, cloud migration, data minimization, and cybersecurity risk disclosures. Mr. Gesser also counsels companies who have experienced cyber events by coordinating with experts to conduct investigations; communicating with regulators, law enforcement, insurers and auditors; assessing various federal, state and international regulatory disclosure obligations; and representing the companies in related civil litigation and regulatory investigations. He previously served as the Counsel to the Chief of the Justice Department, Criminal Division’s Fraud Section and as the Deputy Director of the Justice Department, Criminal Division’s Deepwater Horizon Task Force. In addition to his full-time practice, Mr. Gesser is a frequent writer and commentator on cybersecurity issues.
